The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking “Create dump file”. This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.

This analytic requires file-system data (file creation events) to determine whether such dump files have been created.

ATT&CK Detection

Technique            Tactic             Level of Coverage
Credential Dumping   Credential Access  Low

Data Model References

Object   Action   Field
file     create   file_name
file     create   image_path

Implementations

Procdump - File Create (Pseudocode)

This base pseudocode looks for file create events where a file with a name similar to lsass.dmp is created by the Windows Task Manager process (taskmgr.exe).

files = search File:Create
lsass_dump = filter files where (
  file_name = "lsass*.dmp"  and
  image_path = "C:\Windows\*\taskmgr.exe")
output lsass_dump

Procdump - File Create (Splunk, Sysmon native)

A Splunk/Sysmon version of the above pseudocode.

index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"

Procdump - File Create (Eql, EQL native)

An EQL version of the above pseudocode.

file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe"
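
To show how the two filters above behave on record-like input, here is an added Python example that is not part of CAR or of the analytic itself. It applies the pseudocode's file_name and image_path conditions to a handful of constructed Sysmon Event ID 11 (FileCreate) records; the field names follow Sysmon's TargetFilename and Image, and the records, user name and paths are invented for illustration. It compares case-insensitively because Windows paths are, and Task Manager writes the dump with an upper-case .DMP extension.

```python
import fnmatch

# Constructed Sysmon Event ID 11 (FileCreate) records, invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass (2).DMP"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notepad.DMP"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": ""},
]


def _glob(value, pattern):
    # Windows file names and paths are case-insensitive, so lower-case both
    # sides. fnmatch treats the backslash as a literal character, so the
    # Windows path pattern can be used as written in the pseudocode.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def basename(path):
    """Last component of a Windows path (the file name)."""
    return path.rsplit("\\", 1)[-1]


def is_taskmgr_lsass_dump(event):
    """Apply the analytic's two filters to one record.

    Only FileCreate events (Sysmon Event ID 11) are considered; the file
    name must look like lsass*.dmp and the creating image must be
    taskmgr.exe under C:\\Windows (System32 or SysWOW64).
    """
    if event.get("EventID") != 11:
        return False
    return (_glob(basename(event["TargetFilename"]), "lsass*.dmp")
            and _glob(event["Image"], r"C:\Windows\*\taskmgr.exe"))


def find_hits(events):
    """Return the TargetFilename of every record the analytic matches."""
    return [e["TargetFilename"] for e in events if is_taskmgr_lsass_dump(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("lsass dump written by Task Manager:", hit)
```

Of the five constructed records only the first two match: the third has the wrong file name, the fourth was written by a process outside C:\Windows, and the fifth is not a FileCreate event.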

Unit Tests

Test Case 1

  1. Open Windows Task Manager as Administrator
  2. Select lsass.exe
  3. Right-click on lsass.exe and select “Create dump file”.